Digitally sign the installer

[totaam]

Issue migrated from trac ticket # 1499

component: client | priority: minor | resolution: fixed | keywords: win32

2017-04-13 00:43:14: andrewmunn created the issue

---

Can the installation binary be digitally signed going forward? I think this will help the application get past some corporate security policies once the signing key is whitelisted there.

[totaam]

2017-04-13 08:23:05: @totaam uploaded file xpra-ca.cer (0.8 KiB)

self signed CA cert

[totaam]

2017-04-13 08:24:13: antoine uploaded file install-xpra-ca.png (26.7 KiB)

warning shown when installing the xpra ca file

[totaam]

2017-04-13 08:24:33: antoine uploaded file UAC-warning-verified-publisher.png (35.5 KiB)

UAC warning when installing the signed application

[totaam]

I assume that you are talking about MS Windows installers.

That's now done in r15584 based on the instructions found in How do I create a self-signed certificate for code signing on Windows?.

Note: you will need to install the xpra-ca.cer self signed CA file first using:

certutil -user -addstore Root xpra-ca.cer

You will get a warning that looks like this the first image above.

But then when installing the application, the UAC dialog will look less threatening. (second image)

There are signed windows beta builds you can test: [http://xpra.org/beta/windows].
@andrewmunn: please close this ticket if that works for you.

Ultimately, we should use a proper CA, but at ~$160 per year. Those don't come cheap.
One benefit of those certificates is that they are apparently trusted on Mac OSX too, so we wouldn't have to pay the apple developer fee to get the PKG / DMG signed (the apple developer account key has now expired, that was complete waste of money: see #1340).

[totaam]

Minor build system update: r15642

[totaam]

Not heard back, closing.

[totaam]

See also #3340

[totaam]

See also #3923